Krebs on Security

In-depth security news and investigation

Posts Tagged: phishing

In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims.

Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam campaign sent to a small number of organizations and targeting primarily Brazilian Internet users. The emails were made to look like they were sent by Brazil’s largest Internet service provider, alerting recipients about an unpaid bill. In reality, the missives contained a link designed to hack that same ISP’s router equipment.

According to Proofpoint, the link in the spam campaign led to a page that mimicked the telecom provider. The landing page included code that silently attempted to execute what’s known as a cross-site request forgery attack on known vulnerabilities in two types of routers, UT Starcom and TP-Link. The malicious page would then invoke hidden inline frames (also known as “iframes”) that try to log in to the administration page of the victim’s router using a list of known default credentials built into these devices.

If successful, the attacker’s script would modify the domain name system (DNS) settings on the victim’s router, adding the attacker’s own DNS server as the primary server while assigning the secondary DNS server to Google’s public DNS (8.8.8.8). Such a change would allow the attackers to hijack the victim’s traffic to any Web site, redirecting it away from the legitimate site to a look-alike page designed to siphon the victim’s credentials. In the event that the attacker’s DNS server was unresponsive for any reason, the victim’s router would still function normally.

The malicious script used by the spammers in this campaign tries multiple default credentials in a bid to hijack routers with factory-default settings. Image: Proofpoint.

The real danger of attacks like these is that they bypass antivirus and other security tools, and they are likely to go undetected by the victim for long periods of time. Continue reading →

The Washington Post acknowledged today that a sophisticated phishing attack against its newsroom reporters led to the hacking of its Web site, which was seeded with code that redirected readers to the Web site of the Syrian Electronic Army hacker group. According to information obtained by KrebsOnSecurity, the hack began with a phishing campaign launched over the weekend that ultimately hooked one of the paper’s lead sports writers.

This phishing page used by the Syrian Electronic Army spoofed The Post’s’ internal email login page.

On Tuesday morning, KrebsOnSecurity obtained information indicating that a phishing campaign targeting the Post’s newsroom had been successful, and that the attackers appear to have been seeking email access to Post reporters who had Twitter accounts. The Post did not respond to requests for comment.

Update, August 16, 10:07 a.m. ET: Post spokesperson Kris Coratti finally responded, stating that the phishing attack and the site compromise were two separate incidents, and that one did not necessarily lead to the other. She emphasized that the site hack was the result of an attack on Outbrain, a third-party content recommendation site.

Original story:

But in a brief acknowledgment published today, The Post allowed that it had in fact been hacked, and in an update to that statement added that the source of the compromise was a phishing attack apparently launched by the SEA. From that message:

“A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information. The attack resulted in one staff writer’s personal Twitter account being used to send out a Syrian Electronic Army message. For 30 minutes this morning, some articles on our web site were redirected to the Syrian Electronic Army’s site. The Syrian Electronic Army, in a Tweet, claimed they gained access to elements of our site by hacking one of our business partners, Outbrain. We have taken defensive measures and removed the offending module. At this time, we believe there are no other issues affecting The Post site.”

According to sources, Post sports writer Jason Reid was among those who fell for a phishing scam that spoofed The Posts’s internal Outlook Web Access email portal (see screenshot above). Reid’s hacked email account was then used to send additional — likely malware-laced — phishing emails to other newsroom employees (see screenshot below). Reid did not respond to requests for comment.

Other well-known Posties came close to be tricked by the phishing attack. One of those nearly-phished was veteran Post staffer Gene Weingarten, one of the Post’s Pulitzer Prize winning editors and writers. Reached via email for comment, Weingarten was characteristically self-effacing about the whole ordeal (full disclosure: Gene edited my very first story to appear in The Washington Post, a 1996 Style section piece about living in the late President Gerald Ford‘s house, titled, “My Gerry Built Home“).

“I was phished….one of four, but I never entered any creds,” Weingarten wrote. “I’m stupid, but not THAT stupid.”

This type of phishing attack bears the hallmark of the SEA, which has taken credit for hijacking the Twitter accounts of several news outlets, perhaps most famously that of The Associated Press earlier this year. That campaign — which culminated in an unauthorized tweet sent from the AP’s Twitter account falsely claiming that bombs had exploded in the White House — briefly sent the Dow Industrial Average down 140 points.

As this incident highlights, phishing attacks and the phishers themselves are growing in sophistication. A survey released last month by Verizon Communications Inc. found nearly every incident of online espionage in 2012 involved some sort of phishing attack.

Update, August 16, 11:00 a.m. ET: One astute reader pointed out that the numeric Internet address (31.170.164.145) connected to the domain (site88[dot]net – see first screen shot above) used in the phishing attack against the Post this past weekend resides on the same subnet and hosting provider as blogs and Web sites belonging to some of the top Syrian Electronic Army members, including:

The recent massive data leak from email services provider Epsilon means that it is likely that many consumers will be exposed to an unusually high number of email-based scams in the coming weeks and months. So this is an excellent time to point out some useful resources and tips that can help readers defend against phishing attacks and other nastygrams.

Don’t take the bait: Many people are familiar with the traditional phishing attack, which arrives in an email that appears to have been sent from your bank or ISP, warning that your account will be suspended unless you take some action immediately, usually clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Commercial emails that emphasize urgency should be always considered extremely suspect, and under no circumstances should you do anything suggested in the email. Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment (most phishing scams are hosted on hacked, legitimate Web sites). If you’re really concerned, pick up the phone (gasp!) and call the company to find out if there really is anything for you to be concerned about.

Links Lie: You’re a sucker if you take links at face value. For example, this might look like a link to Bank of America, but I assure you it is not. To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window. Yet, even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously long URLs which stretch far beyond the browser’s ability to show the entire thing when you hover over the link. The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you. Want to learn more cool stuff about links? Check out this guy’s site and you’ll be a link ninja in no time.

Scammers typically kick into high gear during tax season in the United States, which tends to bring with it a spike in phishing attacks that spoof the Internal Revenue Service. Take, for example, a new scam making the rounds via email, which warns of discrepancies on the recipient’s income tax return and requests that personal information be sent via fax to a toll-free number.

A new phishing campaign that began sometime in the last 24 hours is made to look like it was sent from irs@irsonline.gov, and urges recipients to fill out, print, and fax an attached PDF tax form. From the scam email:

*This is in reference to your 2010 U.S. Individual Income Tax Return we seem to have some discrepancies with your filing. If you have already filed for your 2010 tax refund please get hold of a new form 1040 and
mail it to the Department of the Treasury in your region.*

*If for any reason you have not yet filed for your 2010 Individual
Income Tax Return please print out the attached PDF form, fill it and
fax it to the IRS data center on (866) 513-7982 within 24 hours.*

*This has no bearing on your 2010 U.S. Individual Income Tax Return,
this to update our data and survey while we prepare to close the 2010
tax filing season.*

*Thank you *

That 866- phone number is currently returning a fast-busy signal, which suggests either that a lot of people are falling for this scam, or that anti-scammers are speed-dialing the number in a bid to prevent would-be victims from faxing in their forms. My guess is that this scam is tied to some kind of automated service that scans faxes and then emails the phishers copies of the scanned images.

The IRS has been careful to note that while it may conduct follow-up correspondence with taxpayers via email if the taxpayer chooses to communicate that way, it will never reach out to taxpayers via email. Consumers can report any tax-related phishing scams to phishing@irs.gov.

Google has added a new security feature to its search engine that promises to increase the number of Web page results that are flagged as potentially having been compromised by hackers.

The move is an expansion of a program Google has had in place for years, which appends a “This site may harm your computer” link in search results for sites that Google has determined are hosting malicious software. The new notation – a warning that reads “This site may be compromised” – is designed to include pages that may not be malicious but which indicate that the site might not be completely under the control of the legitimate site owner — such as when spammers inject invisible links or redirects to pharmacy Web sites.

Google also will be singling out sites that have had pages quietly added by phishers. While spam usually is routed through hacked personal computers, phishing Web pages most often are added to hacked, legitimate sites: The Anti-Phishing Working Group, an industry consortium, estimates that between 75 and 80 percent of phishing sites are legitimate sites that have been hacked and seeded with phishing kits designed to mimic established e-commerce and banking sites.

It will be interesting to see if Google can speed up the process of re-vetting sites that were flagged as compromised, once they have been cleaned up by the site owners. In years past, many people who have had their sites flagged by Google for malware infections have complained that the search results warnings persist for weeks after sites have been scrubbed.

Denis Sinegubko, founder and developer at Unmask Parasites, said Google has a lot of room for improvement on this front.

“They know about it, and probably work internally on the improvements but they don’t disclose such info,” Sinegubko said. “This process is tricky. In some cases it may be very fast. But in others it may take unreasonably long. It uses the same form for reconsideration requests, but [Google says] it should be faster…less than two weeks for normal reconsideration requests.”

A couple of readers have written in to say they recently received automated telephone calls warning about fraud on their credit card accounts and directing them to call a phone number to “verify” their credit card numbers. These voice phishing attacks, sometimes called “vishing,” are a good reminder that today’s scam artists often abuse a range of modern technologies to perpetrate old-fashioned fraud.

Graphic courtesy Internet Identity

Phone phishing schemes often begin with a pre-recorded message that prompts the recipient to call a supplied telephone number — frequently a toll-free line. Usually, the calls will be answered by an interactive voice response system designed to coax account credentials and other personal information from the caller.

Lures for these telephone phishing attacks also are sent via text message, a variant also known as smishing. Indeed, the Sacramento Bee warned last week that residents in the area were receiving text messages spoofing the Yolo Federal Credit Union.

A new report (PDF) from anti-phishing vendor Internet Identity found that credit unions continue to be a favorite target of smishing attacks, and that text-to-phone scams used a toll-free number in about half of the lures sent in the first quarter of 2010.

Internet Identity also tracked at least 118 smishing attacks in the first quarter of 2010, although the company said that number represents a 40 percent drop in these scams over the last three months of 2009.

It may be hard to imagine how many people actually fall for these scams, but you might be surprised. In March 2008, I wrote about an extremely complex vishing attack that targeted customers of multiple credit unions. A source I interviewed for that story later managed to make a copy of one of the servers that these crooks used to accept incoming calls for this scam, which ran uninterrupted from Jan. 13, 2008 to Feb. 21. From that story: “During that time, the phishers sent millions of text messages, and records from that server show that roughly 4,400 people called the fake bank phone number as directed. Out of those, 125 people entered their full credit/debit card number, expiration and PIN.”

Have you or someone you know recently received one of these scam phone calls or texts? Sound off in the comments below.

Phishing may not be the most sophisticated form of cyber crime, but it can be a lucrative trade for those who decide to make it their day jobs. Indeed, data secretly collected from an international phishing operation over 18 months suggests that criminals who pursue a career in phishing can reap millions of dollars a year, even if they only manage to snag just a few victims per scam.

Phishers often set up their fraudulent sites using ready-made “phish kits” — collections of HTML, text and images that mimic the content found at major banks and e-commerce sites. Typically, phishers stitch the kits into the fabric of hacked, legitimate sites, which they then outfit with a “backdoor” that allows them to get back into the site at any time.

About a year and a half ago, investigators at Charleston, S.C. based PhishLabs found that one particular backdoor that showed up time and again in phishing attacks referenced an image at a domain name that was about to expire. When that domain finally came up for grabs, PhishLabs registered it, hoping that they could use it to keep tabs on new phishing sites being set up with the same kit.

The trick worked: PhishLabs collected data on visits to the site for roughly 15 months, and tracked some 1,767 Web sites that were hacked and seeded with the phishing kit that tried to pull content from the domain that PhishLabs had scooped up.

PhishLabs determined that most of the phishing sites were likely set up by a single person — a man in Lagos, Nigeria that PhishLabs estimates was responsible for about 1,100 of the phishing sites the company tracked over the 15 month experiment.

A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.

The lawsuit, filed by Experi-Metal Inc. (EMI), in Sterling Heights, Mich., charges that Dallas-based Comerica Bank effectively groomed its customers to become phishing victims by routinely sending them e-mail messages that asked recipients to click a link to update the bank’s security technology. The company also alleges that Comerica’s security protections for customers are not commercially reasonable, because the phishing scam routed around the bank’s 2-factor authentication system.

According to a complaint EMI filed in December with a Michigan circuit court, for many years Comerica used “digital certificates” for authenticating online banking customers. Digital certificates are the browser-based counterparts to ATM cards, and many banks require customers to include the bank’s cryptographically signed digital certificate in their browser before the bank’s online system will allow users access.

Once a year from 2000 to 2008, Comerica sent emails to EMI and other customers directing them to click on a link in the email, and then log in at the resulting Web site in order to renew the digital certificate that Comerica required.